FIN6
Aliases: Magecart Group 6, ITG08, Skeleton Spider, TAAL, Camouflage Tempest
FIN6 is a cybercrime group that has stolen payment card data and sold it for profit on underground marketplaces. The group has aggressively targeted and compromised point-of-sale (PoS) systems in the hospitality and retail sectors.
ATT&CK techniques
T1560.003: Archive via Custom Method
T1566.001: Spearphishing Attachment
T1087.002: Domain Account
T1059: Command and Scripting Interpreter
T1572: Protocol Tunneling
T1213: Data from Information Repositories
T1027.010: Command Obfuscation
T1059.007: JavaScript
T1102: Web Service
T1005: Data from Local System
T1547.001: Registry Run Keys / Startup Folder
T1059.003: Windows Command Shell
T1588.002: Tool
T1070.004: File Deletion
T1003.003: NTDS
T1134: Access Token Manipulation
T1562.001: Disable or Modify Tools
T1068: Exploitation for Privilege Escalation
T1204.002: Malicious File
T1036.004: Masquerade Task or Service
T1566.003: Spearphishing via Service
T1059.001: PowerShell
T1560: Archive Collected Data
T1553.002: Code Signing
T1021.001: Remote Desktop Protocol
T1119: Automated Collection
T1018: Remote System Discovery
T1053.005: Scheduled Task
T1569.002: Service Execution
T1046: Network Service Discovery
T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol
T1047: Windows Management Instrumentation
T1110.002: Password Cracking
T1555: Credentials from Password Stores
T1095: Non-Application Layer Protocol
T1078: Valid Accounts
T1573.002: Asymmetric Cryptography
T1003.001: LSASS Memory
T1555.003: Credentials from Web Browsers
T1074.002: Remote Data Staging
T1069.002: Domain Groups
T1074.001: Local Data Staging